banIP support thread

GM,

OK, current situation via picture:

There are some entries.
After 3m 35s the entries will be deleted.
When there are too many entries I stop the "refreshing mode", but for fewer entries I will pick up the information of the entries, and often 3m 35s is too short to analyse the log entries.

There is no dedicated banIP log - it puts messages into syslog.

OpenWRT has two main logs: kernel and syslog. By default syslog is held in RAM and is a ring buffer of a fixed size with the oldest entries getting overwritten as new ones come in. The log is usually viewed from Status -> System log. Some settings are available at System -> System -> Logging tab. One is the size. Increase it to keep more messages around before they get overwritten. Some packages let you configure how much and how detailed the log entries they produce are. Adjusting them to not put so much in the log will increase the time before old log entries are overwritten.

2 Likes
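Because the RAM ring buffer overwrites banIP hits within minutes, one way to keep them analysable is to copy the `logread` output to a file and pull the banIP lines out with a small parser. The script below is an added example, not banIP's own code: the sample lines are constructed, and the `banIP/<chain>/<action>/<set>:` prefix layout is assumed from banIP's nftables log rules.

```python
"""Extract banIP hits from saved OpenWrt syslog text (output of `logread`).
Added example, not part of banIP; SAMPLE_LOG is constructed and the log
prefix layout banIP/<chain>/<action>/<set>: is an assumption."""
import re
from collections import Counter

# Constructed sample in logread layout (timestamps and addresses are made up).
SAMPLE_LOG = """\
Wed Nov 13 05:09:01 2024 kern.warn kernel: [1234.567] banIP/inp-wan/drp/blocklist: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44344 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Wed Nov 13 05:09:02 2024 kern.warn kernel: [1235.001] banIP/inp-wan/drp/blocklist: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=40 PROTO=TCP SPT=44345 DPT=23 SYN URGP=0
Wed Nov 13 05:09:03 2024 kern.warn kernel: [1236.002] banIP/inp-wan/drp/country: IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.1 LEN=60 PROTO=UDP SPT=5060 DPT=5060
Wed Nov 13 05:09:04 2024 daemon.info banIP-1.0.0-9[4321]: banIP is running (nft: 1, ...)
"""

# Syslog timestamp, then anything up to the banIP nft log prefix, then KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?"
    r"banIP/(?P<chain>[^/]+)/(?P<action>[^/]+)/(?P<set>[^:]+): (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_hits(text):
    """Return one dict per nft log line emitted by a banIP rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ordinary syslog noise or banIP's own status messages
        fields = dict(KV_RE.findall(m.group("fields")))  # flags like DF/SYN are skipped
        hits.append({
            "ts": m.group("ts"), "chain": m.group("chain"),
            "action": m.group("action"), "set": m.group("set"),
            "src": fields.get("SRC"), "proto": fields.get("PROTO"),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,
        })
    return hits


def top_sources(hits, n=5):
    """Most frequent source addresses, so a scanner stands out after the buffer wraps."""
    return Counter(h["src"] for h in hits).most_common(n)


if __name__ == "__main__":
    for src, count in top_sources(parse_hits(SAMPLE_LOG)):
        print(f"{src:16} {count} hits")
```

On the router itself, `logread | grep 'banIP/' >> /tmp/banip-hits.log` run from cron keeps the raw lines for this parser to work on later.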

Thank you for clarification. I'll increase the value from 64 to 128.

neuro

...looks much better...thanks again...

neuro

I have no idea, just enable logging of pre-routing packets and check it on your own. If in doubt, turn the UDP safeguard off and test again.

FYI, in master branch the default has been recently raised to 128 as well ...

Checked it and this is not the reason for the speed drop. I've just tried another VPN provider and there are no drops. Looks like the other VPN provider implemented a speed filtering so not many consecutive tests can be run in a row.

1 Like

Hi everyone.

I have just installed OpenWrt 23.05.5 on my Raspberry Pi 4. Everything else looks OK except that the banIP LuCI pages are missing the Save/Apply button bar...

This is an example of how it should look (it's from the Adblock LuCI page).

Below are some details on the versions:

  • banip 1.0.0-9
  • luci-app-banip git-24.208.74923-2780972
  • LuCI openwrt-23.05 branch (git-24.264.56413-c7a3562)
  • OpenWrt 23.05.5 (r24106-10cc5fcd00)

Thank you in advance for your help!

It's not missing but was actually removed (it's mentioned in the readme of banip).

After making changes, click "Restart" and it will save the changes and restart banIP.

Thank you very much for pointing this out!

I went back and skimmed over the readme file (searched for words 'save', 'apply', 'restart') and couldn't find the reference you've mentioned.

I really like the plugin and I am extremely grateful for the work invested in it. I need to ask, for my own reference, is it really beneficial/justified to change the general "control flow" of luci for banip? We will have one plugin behaving completely in a custom way compared to everything else in luci (it might be that there are other plugins implementing these custom controls that I'm not aware of).

Thanks one more time!

Hi again.

Could someone please confirm how banip works in the following scenario?
I tried to understand this on my own and found some mentions of it from an earlier period of banIP development, but I am simply not sure I understand completely.

So, let's imagine I block one whole country in banIP, China for example.
My intention is to prevent the excessive IP scans that I get every day on the static IP that's assigned to my home internet connection.
Would I still be able to connect to AliExpress, Temu, etc. (China-based sites)? Is that what the option "Automatically add resolved domains and uplink IPs to the local banIP allowlist." means under "Overview->Feed Selection->Local Feed Settings"?

I remember there were some iptables rules that essentially said: allow any incoming WAN connection that is a response to a request that originated from the LAN; reject everything else from WAN.

Is this how it works or, if not, is it even possible to achieve something like that?

Thanks!

By default, banIP has a higher priority than your standard firewall rules. Additionally, if you have country (geo) blocks, outbound traffic would also automatically be blocked from your LAN FWD. To exempt certain sites whose IPs are part of a block list, you would need to whitelist them (FQDNs or IPs) individually in your allowlist. Note that some sites may use resources called from secondary FQDNs / IPs (e.g. www.example.com / customer.example.com, or third-party external pages / APIs etc.).
What I mean by that is you may find that while you are able to connect to a site, some components are missing or not functional. It may be necessary for you to turn on verbose logging of LAN FWD in banIP so you can see in real time what else is being blocked as you access and test the initially whitelisted site.

1 Like

You can control how each ban feed blocks in your firewall from here (see the definition in Readme - Main Features).

1 Like

Sorry, but I have to come back with the same issue.
Two cases:
1.) Standard connection wan - DSL: the filters set in banIP take effect - everything fine!
2.) Failover with DSL (wan) and 5G (WAN_5G): I removed the filters from the allowlist (set via case 1), deleted the tmp directory, cleared the browser cache, and I can still access the banned URLs.
Where is my configuration error?

config banip 'global'
	option ban_enabled '1'
	option ban_debug '1'
	option ban_autodetect '1'
	list ban_logterm 'Exit before auth from'
	list ban_logterm 'luci: failed login'
	option ban_fetchretry '5'
	option ban_nicelimit '0'
	option ban_filelimit '1024'
	option ban_deduplicate '1'
	option ban_nftpriority '-100'
	option ban_icmplimit '10'
	option ban_synlimit '10'
	option ban_udplimit '100'
	option ban_nftpolicy 'memory'
	option ban_blocktype 'drop'
	option ban_nftloglevel 'warn'
	option ban_logprerouting '0'
	option ban_loginput '1'
	option ban_logforwardwan '1'
	option ban_logforwardlan '1'
	option ban_loglimit '100'
	list ban_region 'AFRINIC'
	list ban_region 'APNIC'
	list ban_region 'ARIN'
	list ban_region 'LACNIC'
	list ban_region 'RIPE'
	option ban_autoallowlist '1'
	option ban_autoallowuplink 'subnet'
	option ban_autoblocklist '1'
	option ban_allowlistonly '0'
	option ban_fetchcmd 'uclient-fetch'
	option ban_protov4 '1'
	list ban_ifv4 'WAN2_5G'
	list ban_ifv4 'wan'
	list ban_dev 'lan1'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/fi-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/de-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ie-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/nl-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/no-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/pl-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/se-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/ch-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone'
	list ban_feed 'asn'
	list ban_feed 'country'
	list ban_trigger 'wan'
	list ban_trigger 'WAN2_5G'
	list ban_asn '133478'
	list ban_asn '45090'

The cause may be here:

	list ban_ifv4 'WAN2_5G'
	list ban_ifv4 'wan'

Thanks
Neuro


Update:
Before I change the interfaces:

After I tried to change the interfaces:

But when I restart banIP the service switches back to the first setup.

The complete traffic will not be blocked...


Status:

When I disconnect lan1 = WAN_5G (failover/load balancing) and reboot the system, banIP works fine with the standard config eth1=wan (DSL).

Question:
How do I set up banIP with failover/load balancing correctly?

Thanks
Neuro

This config makes no sense; to block the entire Internet, just use the allowlist-only mode (see readme).

Disable the autodetection and set the interfaces manually, e.g.

1 Like
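As an added illustration of that advice (not Dirk's own example, which was an image, and not a banIP file): the fragment below rewrites the global section of the config posted above with autodetection off, allowlist-only mode on and both uplinks listed by hand. `eth1` as the DSL device is taken from the status update's wording "eth1=wan(DSL)" and is an assumption; check both device names with `ifstatus wan` and `ifstatus WAN2_5G` before applying.

```uci
config banip 'global'
	option ban_enabled '1'
	option ban_debug '1'
	# no autodetection, so the interface and device lists below survive a restart
	option ban_autodetect '0'
	# allowlist-only: everything not covered by the allowlist is blocked,
	# so the country/asn feeds and the ban_region lists are no longer needed
	option ban_allowlistonly '1'
	option ban_blocktype 'drop'
	option ban_nftpriority '-100'
	option ban_autoallowlist '1'
	option ban_autoallowuplink 'subnet'
	option ban_autoblocklist '1'
	option ban_protov4 '1'
	option ban_fetchcmd 'uclient-fetch'
	# both uplinks: logical interfaces, their devices, and restart triggers
	list ban_ifv4 'wan'
	list ban_ifv4 'WAN2_5G'
	list ban_dev 'eth1'
	list ban_dev 'lan1'
	list ban_trigger 'wan'
	list ban_trigger 'WAN2_5G'
	# country ranges that stay reachable; the remaining ipdeny lists from the
	# posted config are added the same way
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/de-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/gb-aggregated.zone'
	list ban_allowurl 'https://www.ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone'
```

After editing, `/etc/init.d/banip restart` and a look at the banIP status page confirm whether both devices were picked up.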

Thanks Dirk for your support!

Neuro

Hi @dibdot, is there a way to reset the stats of the blocked packets without a forced restart of banIP?

:::
::: banIP Set Statistics
:::
    Timestamp: 2024-11-13 05:09:01
    ------------------------------
    blocked syn-flood packets  : 12419
    blocked udp-flood packets  : 814
    blocked icmp-flood packets : 41095
    blocked invalid ct packets : 38117
    blocked invalid tcp packets: 0
    ---
    auto-added IPs to allowlist: 0
    auto-added IPs to blocklist: 0

I noticed that they just increase continuously. I generate a report daily to see the banIP stats, for the purpose of seeing the new stats since the last time it was generated.

Disclaimer: IMHO counters are still WIP in nftables.

However, the named counters mentioned in your screenshot above could be reset with ...

nft reset counters inet banIP

Edit: There are also pretty strange workarounds to reset anonymous counters. For more information, see https://wiki.nftables.org/wiki-nftables/index.php/Counters.

1 Like
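An alternative to resetting the counters, as an added example that is not part of banIP: parse the "banIP Set Statistics" block as printed above, store a snapshot, and report only the growth since the previous daily run (a counter that went backwards means banIP was restarted in between). The sample text and the state-file path are constructed.

```python
"""Report daily growth of the banIP set statistics instead of resetting counters.
Added example, not part of banIP; SAMPLE is constructed in the layout of the
stats block shown in the thread."""
import json
import re
from pathlib import Path

# Counter lines only: lowercase name, colon, integer. Timestamp and rulers don't match.
COUNTER_RE = re.compile(r"^\s*(?P<name>[a-z][\w -]*?)\s*:\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Map each counter line ('blocked syn-flood packets  : 12419') to an int."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats


def delta(current, previous):
    """Growth per counter since the previous snapshot. A value below the previous
    one means banIP restarted (counters start again at zero), so report it as-is."""
    out = {}
    for name, value in current.items():
        prev = previous.get(name, 0)
        out[name] = value - prev if value >= prev else value
    return out


def report(text, state_file):
    """Diff `text` against the stored snapshot, then store the new snapshot."""
    state = Path(state_file)
    previous = json.loads(state.read_text()) if state.exists() else {}
    current = parse_stats(text)
    state.write_text(json.dumps(current))
    return delta(current, previous)


# Constructed sample in the layout of the stats block above.
SAMPLE = """\
:::
::: banIP Set Statistics
:::
    Timestamp: 2024-11-13 05:09:01
    ------------------------------
    blocked syn-flood packets  : 12419
    blocked udp-flood packets  : 814
    blocked icmp-flood packets : 41095
    blocked invalid ct packets : 38117
    blocked invalid tcp packets: 0
    ---
    auto-added IPs to allowlist: 0
    auto-added IPs to blocklist: 0
"""
```

Fed with the real output each day (for example `report(subprocess.check_output(["/etc/init.d/banip", "report"], text=True), "/etc/banip/stats.json")`), it prints only what changed since yesterday.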

Thanks for this; I'll also do some additional reading on the link provided.

@dibdot I might have found an issue, please refer to the edit :wink:

Currently I use banIP to block DoH because I figured that even when I changed the settings on Chromium browsers to follow system DNS, if I tested it with 8.8.8.8 it would still use DoH even if I had set it off in Windows; this caused a lot of issues when I was testing why my DNS hijacking had failed.

Now everything works fine on my LAN, but on my wireless I use a somewhat unusual setup :slight_smile:

On my wireless segment network wlan0, all traffic is blocked except to a wifivpn instance, which is a local WireGuard server; this I then pre-route with stangri's pbr to wgclient.

So my traffic originates like:
wlan0 -> wifivpn -> wgclient, and wgclient over wan.

When I set 8.8.8.8 as DNS in my WireGuard Android app I still see that my DNS is leaking and it goes over DoH; when I enable my own traffic rule to directly block 8.8.8.8 on 443, the hijacking works again.

Could it be that my wifivpn isn't picked up correctly because it is a tunnel?

Config:

config banip 'global'
        option ban_enabled '1'
        option ban_debug '0'
        option ban_autodetect '0'
        list ban_logterm 'Exit before auth from'
        list ban_logterm 'luci: failed login'
        option ban_fetchretry '5'
        option ban_nicelimit '0'
        option ban_filelimit '1024'
        option ban_deduplicate '1'
        option ban_nftpriority '-100'
        option ban_icmplimit '10'
        option ban_synlimit '10'
        option ban_udplimit '100'
        option ban_nftpolicy 'memory'
        option ban_blocktype 'reject'
        option ban_nftloglevel 'warn'
        option ban_logprerouting '0'
        option ban_loginput '0'
        option ban_logforwardwan '0'
        option ban_logforwardlan '0'
        option ban_loglimit '100'
        option ban_autoallowlist '1'
        option ban_autoallowuplink 'subnet'
        option ban_autoblocklist '1'
        option ban_allowlistonly '0'
        option ban_fetchcmd 'curl'
        option ban_protov4 '1'
        option ban_autoblocksubnet '1'
        option ban_allowflag '4443 4445'
        list ban_feed 'doh'
        list ban_blockforwardlan 'doh'
        list ban_dev 'pppoe-wan'
        list ban_dev 'wgclient'
        list ban_ifv4 'wan'
        list ban_ifv4 'wgclient'

Edit:

I think I was mistaken; it seems I moved my rules for blocking DoH and they were always active, and the actual rules I used to test were for DoT, so naturally it makes sense that banIP doesn't work on those. :+1:

1 Like